AMENDMENTS TO THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims 
in the application: 

Listing of Claims: 



1 1 . (Currently amended) A computer system for tracking network behavior, 

2 comprising: 

3 a processor; and 

4 a storage device storing memory that stores: 

5 a connection table that maps each node host of a network to a 

7 b e tw ee n that node and other nodes t raffic information from the host to 

8 other hosts or from the other hosts to the host in the network for a 

9 specified time interval , and 

10 a profile table that stores historical traffic information as 

11 exponentially weighted moving average values; and 

12 stores information indicating whether the? nodo is operating as a 

13 client or a server. 

14 a merging mechanism configured to merge the record associated with each 

15 host for the specified time interval from the connection table into the historical 

16 traffic information in the profile table. 

1 2. (Previously presented) The computer system of claim 1 wherein the 

2 connection table includes a plurality of records that are indexed by source 

3 address. 
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1 3. (Previously presented) The computer system of claim 1 wherein the 

2 connection table includes a plurality of records that are indexed by destination 

3 address. 

1 4. (Previously presented) The computer system of claim 1 wherein the 

2 connection table includes a plurality of records that are indexed by time. 

1 5. (Previously presented) The computer system of claim 1 wherein the 

2 connection table includes a plurality of records, that are record objects, which are 

3 indexed by source address, destination address and time. 

1 6. (Previously presented) The computer system of claim 1 wherein the 

2 connection table is a plurality of connection sub-tables each sub-table having data 

3 pertaining to network traffic over different time scales. 

1 7. (Previously presented) The computer system of claim 6 wherein the 

2 connection sub-tables include a time-slice connection table that operates on a 

3 small unit of time and at least one other sub-table that operates on a larger unit of 

4 time than the time slice sub-table. 

1 8. (Previously presented) The computer system of claim 7 wherein the at 

2 least one other sub-table holds records received from collectors over the time 

3 scale of the table. 

1 9. (Previously presented) The computer system of claim 5 wherein an 

2 address indexing the connection table comprises an IP address. 
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1 10 (Previously presented) The computer system of claim 1 wherein an 

2 address indexing the connection table includes a physical layer address to IP 

3 address map that is used to determine Host ID. 

1 11. (Previously presented) The computer system of claim 1 wherein a host 

2 record of a first host maps that first host to a second host that communicates with 

3 the first host to a host pair record object that has information about traffic from 

4 the first to the second host and from the second host to the first host. 

1 12. (Previously presented) The computer system of claim 1 wherein the 



2 connection table includes two level mapping that enables a consuming device to 

3 obtain summary information about one host for a first level mapping and about 

4 traffic between any pair of hosts, in either direction, between a first host of the 

5 any pair to a second host of the any pair and from the second host of the any pair 

6 to the first host of the any pair for a second level mapping. 



1 13. (Previously presented) The computer system of claim 1 wherein the 

2 connection table comprises a plurality of host records, a host record stores a 

3 measure of the number of bytes, packets, and connections that occurred between 

4 hosts during a time-period. 

1 14. (Previously presented) The computer system of claim 13, wherein data 

2 in the host record is organized by well known transport protocols and well-known 

3 application-level protocols. 

1 15. (Previously presented) The computer system of claim 13, wherein host 

2 records have no specific memory limit. 
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1 16. (Previously presented) The computer system of claim 1 wherein for 

2 application-level protocols and for every pair of hosts, the connection table stores 

3 statistics for traffic between hosts. 

1 17. (Previously presented) The computer system of claim 16 wherein the 

2 connection table stores protocol-specific records as (protocol, count) key-value 

3 pairs. 

1 18. (Currently amended) A computer system for tracking network 

2 behavior, the computer system comprising: 

3 a processor; and 

4 a storage device storing memory that stores: 

5 a connection table that maps each node host of a network to a 

6 record that stores connection information about traffic to or from the node 

7 and b e tw ee n that nod e and oth e r nod e s that have connections with th e 

8 nede -traffic information from the host to other hosts or from the other 

9 hosts to the host in the network for a specified time interval , and 



10 stores information indicating whether the node is operating as a 

11 client or as a server, 

12 wherein the connection table -table is indexed according to 

13 at least a first one one or more of source address, destination 

14 address and fim ea specified time interval, and 

1 5 wherein the connection table further including in the 

16 includes records fields for storing statistical information for traffic 

17 between-hests r the hosts; and 

18 a profile table that stores historical traffic information as 



19 exponentially weighted moving average values; and 
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20 a merging mechanism configured to merge the record associated with each 

21 host for the specified time interval from the connection table into the historical 

22 traffic information in the profile table . 

1 19 (Previously presented) The computer system of claim 18 wherein the 

2 plurality of records is record objects. 

1 20. (Previously presented) The computer system of claim 1 8 wherein the 

2 connection table is a second plurality of connection sub-tables, each sub-table 

3 having data pertaining to network traffic over different ones of corresponding 

4 second plurality of time scales. 

1 21 . (Previously presented) The computer system of claim 1 8 wherein the 

2 connection sub-tables include a time-slice connection table that operates on a 

3 small unit of time and at least one other sub-table that operates on a larger unit of 

4 time than the time slice sub-table. 

1 22. (Previously presented) The computer system of claim 1 8 wherein the 

2 at least one other sub-table holds records received from collectors in the network 

3 over the time scale of the table. 

1 23. (Previously presented) The computer system of claim 18 wherein an 

2 address indexing the connection table comprises an IP address. 

1 24. (Previously presented) The computer system of claim 23 wherein an 

2 address indexing the connection table includes a physical layer address to IP 

3 address map that is used to determine Host ID. 
4 



6 

AEP: Amendment F RIV-0550 (final OAR).doc 



5 25. (Previously presented) The computer system of claim 18 wherein a 

6 host record of a first host maps that first host to a second host that communicates 

7 with the first host to a host pair record that has information about traffic from the 

8 first to the second host and from the second host to the first host. 

1 26. (Previously presented) The computer system of claim 18 wherein the 



2 connection table includes two level mapping that enables a consuming device to 

3 obtain summary information about one host for a first level mapping and about 

4 the traffic between any pair of hosts, in either direction, between a first host of the 

5 any pair to a second host of the any pair and from the second host of the any pair 

6 to the first host of the any pair for a second level mapping. 



1 27. (Previously presented) The computer system of claim 18 wherein the 

2 connection table comprises a plurality of host records, a host record stores, a 

3 measure of the number of bytes, packets, and connections that occurred between 

4 hosts during a time-period. 

1 28. (Previously presented) The computer system of claim 27 wherein data 

2 in the host record is organized by well known transport protocols and well4aiown 

3 application-level protocols. 

1 29. (Previously presented) The computer system of claim 28 wherein for 

2 application-level protocols and for every pair of hosts, the connection table stores 

3 statistics for traffic between hosts. 

1 30 (Previously presented) The computer system of claim 28 wherein the 

2 connection table stores protocol-specific records as (protocol, count) key-value 

3 pairs. 
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